Payment Card Industry Data Security Standards Compliance

Overview

The ability to conduct credit card transactions has become a necessity for improved customer service, particularly with the growth of e-commerce. The University of Mary Washington recognizes that accepting credit cards may stimulate sales in certain types of transactions and may improve the efficiency of cash collections. Protecting our customers' credit card data is essential. This website provides University departments with essential information regarding the requirements and best practices for payment card related activities.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standards. PCI Data Security Standards are national standards from the Payment Card Security Standards Council and apply to all organizations anywhere in the country that process, transmit or store credit cardholder data. The University and all departments that process payment card data have a contractual obligation to adhere to the PCI Data Security Standard (PCI-DSS). We must adhere to these standards to protect our customers and to continue to accept payment cards. Each year, departments and units that conduct payment card activities must submit a self-assessment questionnaire attesting to their compliance with PCI DSS. These questionnaires are tailored to each department by the University Finance and IT departments.

PCI Security Standards Council

The PCI Security Standards Council was founded by the major payment card brands (American Express, Discover Card, JCB, MasterCard, and Visa) to manage the continued development, communication, clarification, and implementation of the PCI standards. The PCI SSC website is the best resource for questions related to the standards.

PCI Self Assessment Instructions & Guidelines

This document from the PCI SSC SAQ website is designed to help answer questions related to the PCI standards. Please refer to the “Selecting the SAQ and Attestation that Best Apply to Your Organization” section to help you determine which Self-Assessment Questionnaire you should complete.

Navigating PCI DSS: Understanding the Intent of the Requirements

This document describes the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements, along with guidance explaining the intent of each requirement. It is intended to provide a clearer understanding of the PCI DSS and of the specific meaning and intention behind the detailed requirements for securing the system components (servers, network, applications, etc.) that support cardholder data environments.

Golden Rules

  • NEVER record payment card data in any electronic format (Excel files, databases, etc.), in accordance with the University’s Electronic Storage of Highly Sensitive Data Policy.
  • Do NOT request or send any credit card information by email. If someone emails their card data to you, make them aware that, for their own safety, they should not do this again, and delete the email as soon as possible.
  • Do NOT request, record, or store any of the magnetic stripe data or the card verification code (the three-digit code on the back of most cards, or the four-digit code on the front of American Express cards; this is sometimes referred to as the “CVV2” code).
  • Ensure that credit card terminals do NOT print the entire 16-digit credit card number on receipts. Only the last four digits should be printed.
  • Please do NOT offer to enter payment card data into a hosted (third-party) website on behalf of a client. Doing so could expose your computer, and every computer connected to it, to keylogging, hackers, etc. We want to make sure that our clients’ data is safe!
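The first, second and fourth rules above have a practical counterpart that a department's IT staff can automate: scanning files and mailboxes for card numbers that were stored by mistake, and masking any number that must be shown down to its last four digits. The following Python helpers are an added example written for this page; they are not code from the University or from the PCI SSC. The function names (`luhn_valid`, `find_pans`, `mask_pan`, `redact`) are hypothetical, and the sample email text is constructed, using the publicly documented Visa and American Express test card numbers rather than real cards. The Luhn check is what keeps a 14-digit invoice reference from being flagged as a card number.

```python
"""Cardholder-data hygiene helpers (added example, hypothetical names).

- find_pans():  locate probable primary account numbers (PANs) in free text,
                e.g. an exported mailbox or a spreadsheet dumped to CSV.
- mask_pan():   reduce a PAN to its last four digits, as receipts must.
- redact():     rewrite text so that any detected PAN is masked.

A PAN is 13 to 19 digits and passes the Luhn check digit test.  Card
verification codes (CVV2) are three or four bare digits and cannot be
detected reliably; the rule for those is simply never to collect them.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not
# adjacent to further digits (so a 20-digit serial number is not matched).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def _looks_like_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit number found in text, digits only."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if _looks_like_pan(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; separators are dropped."""
    digits = _digits_only(pan)
    if len(digits) <= 4:
        return digits
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace each detected PAN with its masked form; leave other numbers alone."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _digits_only(m.group())
        return mask_pan(digits) if _looks_like_pan(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed sample: the kind of email the second Golden Rule warns about.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111, exp 12/29, code 123.\n"
    "Quote reference number 12345678901234 on the invoice.\n"
)

if __name__ == "__main__":
    print("Detected PANs:", find_pans(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
```

Running the file on the constructed email reports exactly one PAN (the Visa test number) and leaves the invoice reference untouched, because that reference fails the Luhn check. In practice `find_pans` would be run over exported mail or shared-drive files as a detective control; any hit is a policy violation to be cleaned up, never a value to be copied elsewhere.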

For more information about PCI DSS, or for information about taking credit card payments, email pci@umw.edu.